The real challenge in these situations is that the design and protocols of the Internet were not designed to defend against malfeasance.

To a degree we are like the little Dutch boy in Hans Brinker attempting to save ourselves by plugging holes in the dike.

We must bootstrap the Internet into modern times by taking things like DNSSEC seriously.

Stealing someone’s password or convincing an innocent customer service representative you are someone else should not be sufficient to take over someone’s online identity.

Stay vigilant, folks, and look into what your organization’s DNS provider offers in the way of protection.

Note: Folks seem to think that I am suggesting DNSSEC would have prevented this. Not in this case, but it is another piece of the puzzle that needs to fall in place to shore up the integrity of our name resolution system.

While DNSSEC can augment the security of host/domain queries, it does nothing to stop attacks similar to the one described. DNSSEC relies on a chain of trust which begins at the registrar. Corrupt the record at the registrar (which SEA has done in each of the attacks described) and DNSSEC provides no value.

The proper fix is to use a registrar that provides strong authentication prior to permitting zone changes. For example, decent two-factor authentication for their management interface, required verification to a fixed call-back number, etc. will do far more to prevent these attacks than DNSSEC.

In addition, the DNSSEC spec still needs work so that hosts supporting it do not automatically become DDoS amplifiers. This needs to be fixed before the spec can be widely deployed.
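The point made in the comment above, that DNSSEC's chain of trust runs through the DS record the registrar submits to the parent zone, is easy to see in a small model. The Python below is an added example and is not part of the article or the comment thread; the zone data, key bytes and nameserver names are constructed placeholders, and the DS digest is a simplified stand-in for the RFC 4034 computation. It follows a delegation the way a validating resolver would, then shows the baseline check a defender can run against a saved copy of the parent-side delegation (NS set and DS) to catch registrar-level changes that DNSSEC itself will happily validate.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Delegation:
    """What the parent (TLD registry) publishes for a child, fed by the registrar."""
    ns: List[str]                 # nameservers the parent points resolvers at
    ds: Optional[bytes]           # digest of the child's signing key; None = unsigned delegation


@dataclass
class Zone:
    """The data a nameserver returns for a zone (toy model: one key, A records only)."""
    name: str
    ksk: Optional[bytes]
    records: Dict[str, str] = field(default_factory=dict)


def ds_digest(name: str, ksk: bytes) -> bytes:
    # Real DS records hash the wire-format owner name plus DNSKEY RDATA (RFC 4034);
    # this toy hashes the ASCII name plus the raw key bytes, which is enough for the model.
    return hashlib.sha256(name.encode() + ksk).digest()


def resolve(registry: Dict[str, Delegation], servers: Dict[str, Zone],
            name: str, host: str) -> Tuple[str, str]:
    """Follow the parent's delegation and classify the answer like a validating resolver."""
    deleg = registry[name]
    zone = servers[deleg.ns[0]]             # go wherever the registrar-supplied NS says
    answer = zone.records.get(host, "")
    if deleg.ds is None:                    # no DS at the parent: unsigned, accepted as-is
        return answer, "insecure"
    if zone.ksk is None or ds_digest(name, zone.ksk) != deleg.ds:
        return "", "bogus"                  # key does not match DS: answer discarded
    return answer, "secure"


def delegation_diff(baseline: Dict[str, Delegation], current: Dict[str, Delegation],
                    name: str) -> List[str]:
    """Registrar-level hijack check: compare the parent's delegation against a saved baseline."""
    b, c = baseline[name], current[name]
    findings = []
    if sorted(b.ns) != sorted(c.ns):
        findings.append(f"NS changed: {sorted(b.ns)} -> {sorted(c.ns)}")
    if b.ds != c.ds:
        findings.append("DS removed" if c.ds is None else "DS changed")
    return findings


# Constructed sample data: placeholder key bytes and documentation-range addresses.
LEGIT_KSK = b"legit-ksk-public-key"
ROGUE_KSK = b"rogue-ksk-public-key"
SERVERS = {
    "ns1.legit-dns.example": Zone("example.com", LEGIT_KSK, {"www.example.com": "192.0.2.10"}),
    "ns1.rogue-dns.example": Zone("example.com", ROGUE_KSK, {"www.example.com": "198.51.100.66"}),
}


def baseline_registry() -> Dict[str, Delegation]:
    return {"example.com": Delegation(["ns1.legit-dns.example"], ds_digest("example.com", LEGIT_KSK))}


def ns_only_change() -> Dict[str, Delegation]:
    # Only the NS set was altered; the DS at the parent still names the legitimate key.
    return {"example.com": Delegation(["ns1.rogue-dns.example"], ds_digest("example.com", LEGIT_KSK))}


def registrar_takeover() -> Dict[str, Delegation]:
    # Registrar account compromised: NS repointed and a DS for the rogue key published.
    return {"example.com": Delegation(["ns1.rogue-dns.example"], ds_digest("example.com", ROGUE_KSK))}


if __name__ == "__main__":
    for label, reg in [("baseline", baseline_registry()),
                       ("NS only", ns_only_change()),
                       ("registrar takeover", registrar_takeover())]:
        print(label, resolve(reg, SERVERS, "example.com", "www.example.com"),
              delegation_diff(baseline_registry(), reg, "example.com"))
```

The three scenarios line up with the comment: with only the NS set altered, the DS still names the legitimate key, so validation fails and the bogus answer is dropped, which is the case DNSSEC does cover. Once the registrar account is controlled, the DS is replaced along with the NS, the resolver reports the rogue answer as "secure", and the only thing left to catch it is an out-of-band comparison of the parent-side delegation against a baseline, which is what `delegation_diff` does.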

Starting today, I have seen a rash of what appears to be posts from hacked accounts on Facebook. The text is always the same, “check your last profil visitor” (with profile misspelled). Then the link, which starts with adf(period deleted by me)ly. I have already seen these posts on six different group pages. What is this, and will Sophos’s “cleaner” fix it?